devise 5.0.3 → 5.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 40065ae1fdb8a0bdf390bf5c3624b9f68a89ac6dbb21131749d8833325248215
-  data.tar.gz: 432727f7b82b0725c6cfb9fd7776b3ea0fc8d892abd3b44afe3c3753cac3dc6c
+  metadata.gz: c67cfd3438b138fe40dfed1f4898b40b9b1469dbd2d7b4858496110bd3d6a970
+  data.tar.gz: f5e280e647b29a59a52bb6064d30601b053b97f84a1bd2418e998e0454edb57c
 SHA512:
-  metadata.gz: d52c4ee3175dd5c570b396b8391a6c673d33d9d073853142ddbe92399dde2cb94aca45778998fe8f959c503134994d459a00325c0fb0d53e7471e3f0093f37e2
-  data.tar.gz: 49b47ef522f849a98e8a181aea7b3fb84796ec2094d015c30ac0593846570d8accb319d1e4f9e5a1c1c4139f88bf005e8435668e21e105cd6d0c6f0f6ca5af2f
+  metadata.gz: 245df1de08dc984a0caf07700690aa0a2325592b1873bd0ee4ffb539c9b1725b592907b2e3174ad7c48c9c03b40d2c741c52866338949474ee77156ae5a6862c
+  data.tar.gz: 54f318f2e72de3d5744e07fd74a17eaa8605034ebbd0e7c66e42dcac7813d901804a02be6bfe758c22ef2f804aba9d3807de69affa9d6706ee857450940d57af

data/CHANGELOG.md

@@ -1,7 +1,12 @@
+### 5.0.4 - 2026-05-08
+
+* security fixes
+  * Fix open redirect in `FailureApp` via unvalidated `Referer` header on non-GET session timeout. CVE-2026-40295 [GHSA-jp94-3292-c3xv](https://github.com/heartcombo/devise/security/advisories/GHSA-jp94-3292-c3xv)
+
 ### 5.0.3 - 2026-03-16
 
 * security fixes
-  * Fix race condition vulnerability on confirmable "change email" which would allow confirming an email they don't own CVE-2026-32700 [#5783](https://github.com/heartcombo/devise/pull/5783) [#5784](https://github.com/heartcombo/devise/pull/5784)
+  * Fix race condition vulnerability on confirmable "change email" which would allow confirming an email they don't own CVE-2026-32700 [GHSA-57hq-95w6-v4fc](https://github.com/heartcombo/devise/security/advisories/GHSA-57hq-95w6-v4fc) [#5783](https://github.com/heartcombo/devise/pull/5783) [#5784](https://github.com/heartcombo/devise/pull/5784)
 
 ### 5.0.2 - 2026-02-18
 

data/README.md

@@ -79,7 +79,7 @@ If you have discovered a security related bug, please do *NOT* use the GitHub is
 
 If you have any questions, comments, or concerns, please use StackOverflow instead of the GitHub issue tracker:
 
-http://stackoverflow.com/questions/tagged/devise
+https://stackoverflow.com/questions/tagged/devise
 
 The deprecated mailing lists can still be read on:
 
@@ -90,7 +90,7 @@ https://groups.google.com/group/heartcombo
 
 You can view the Devise documentation in RDoc format here:
 
-http://rubydoc.info/github/heartcombo/devise/main/frames
+https://rubydoc.info/github/heartcombo/devise/main/frames
 
 If you need to use Devise with previous versions of Rails, you can always run "gem server" from the command line after you install the gem to access the old documentation.
 
@@ -745,7 +745,7 @@ config.http_authenticatable = [:database]
 ```
 
 This restriction does not limit you from implementing custom warden strategies, either in your application or via gem-based extensions for devise.
-A common authentication strategy for APIs is token-based authentication. For more information on extending devise to support this type of authentication and others, see the wiki article for [Simple Token Authentication Examples and alternatives](https://github.com/heartcombo/devise/wiki/How-To:-Simple-Token-Authentication-Example#alternatives) or this blog post on [Custom authentication methods with Devise](http://blog.plataformatec.com.br/2019/01/custom-authentication-methods-with-devise/).
+A common authentication strategy for APIs is token-based authentication. For more information on extending devise to support this type of authentication and others, see the wiki article for [Simple Token Authentication Examples and alternatives](https://github.com/heartcombo/devise/wiki/How-To:-Simple-Token-Authentication-Example#alternatives) or this blog post on [Custom authentication methods with Devise](https://blog.plataformatec.com.br/2019/01/custom-authentication-methods-with-devise/).
 
 #### Testing
 API Mode changes the order of the middleware stack, and this can cause problems for `Devise::Test::IntegrationHelpers`. This problem usually surfaces as an ```undefined method `[]=' for nil:NilClass``` error when using integration test helpers, such as `#sign_in`. The solution is simply to reorder the middlewares by adding the following to test.rb:

data/lib/devise/controllers/store_location.rb

@@ -56,7 +56,7 @@ module Devise
       def extract_path_from_location(location)
         uri = parse_uri(location)
 
-        if uri 
+        if uri && uri.path
           path = remove_domain_from_uri(uri)
           path = add_fragment_back_to_path(uri, path)
 

data/lib/devise/failure_app.rb

@@ -139,7 +139,7 @@ module Devise
         path = if request.get?
           attempted_path
         else
-          request.referrer
+          extract_path_from_location(request.referrer)
         end
 
         path || scope_url

data/lib/devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Devise
-  VERSION = "5.0.3".freeze
+  VERSION = "5.0.4".freeze
 end

data/lib/generators/devise/orm_helpers.rb

@@ -25,11 +25,7 @@ CONTENT
       end
 
       def migration_path
-        if Rails.version >= '5.0.3'
-          db_migrate_path
-        else
-          @migration_path ||= File.join("db", "migrate")
-        end
+        db_migrate_path
       end
 
       def model_path

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise
 version: !ruby/object:Gem::Version
-  version: 5.0.3
+  version: 5.0.4
 platform: ruby
 authors:
 - José Valim
@@ -221,7 +221,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.6
+rubygems_version: 4.0.8
 specification_version: 4
 summary: Flexible authentication solution for Rails with Warden
 test_files: []